Goodbye Cloudflare! My review after 1 year of their Business Plan

For the last year or so, we’ve used the Business Plan at Cloudflare. This is my review of that experience. BUT, in the end, you, the user, will be the one who tells us how the experience is.

Our server infrastructure is simple: a single physical server all to ourselves, hosted at Softlayer/IBM, plus redundancies. I made sure that end of the equation was good. I’ve refactored it several times and can spin up a new server instance in no time (though it’s a bit stressful if done on-demand).

When I discovered Cloudflare, I was amazed. I thought I had found the solution to lots of problems. They delivered more than 90% of our bandwidth, cached at the edge nodes. That’s not bad! They ensured our server was compatible with the latest standards and protocols, some experimental. They made sure our content was optimal and secure.

But the price you pay is heavy. Over the last year, I’ve paid them $2400, for those of you who need a quick calculator. This bought me no special treatment, believe me. The speed penalty is what got me in the end. I am sure a free plan would have served almost as well, to be honest, or the $20 plan for sure. I thought, “You get what you pay for” though, and I always *must* keep our infrastructure stable. I mean, it’s a darn critical day if the server is down! So, I invest in that portion of the business, as opposed to being cheap. In this case, I should have gone cheap.

A traditional CDN serves up your site’s static content, like images, from edge nodes around the world. This makes those objects faster. Cloudflare is a different beast. It routes *all* traffic through its servers, in the process decrypting it, parsing it, modifying it, re-encrypting it, then passing it along. That works great if you have mostly cached content, but for sites like ours with full HTTPS, it is problematic because you have to be careful about what you cache. In other cases you might just not cache any encrypted content to be safe, but I designed the site so that static content served over HTTPS was cacheable, while dynamic HTTPS content was marked not-cacheable.

Anyway, this improved load speed on static, cacheable content allowed me to accept a slight delay in page load times, as it sped up downloads and reduced server load and bandwidth dramatically. This was fine, if a bit wasteful (given the lack of advantages of the $200/mo plan in hindsight – I had hoped for better service and traffic prioritization).

Until one day…

Ironically, it happened right after I made a remark about a critical parsing bug they had last month on an ‘answer’ the CEO had written. Now, I’m not saying it is related. No way what I have to say is that important to anyone. BUT, nonetheless, the next day I found server performance was crippled through Cloudflare. Page load times had doubled. Everything was timing out. It was a disaster.

A network engineer at Cloudflare quickly *validated* the issue (from the UK there was a 30 second fresh and full page load time direct, 60 seconds through them – both high, but point made) and traced it to an ‘upstream provider’. Now, what that means is the Internet backbone. Had I then gone to Softlayer/IBM, they’d tell me it’s a ‘downstream provider’ issue. Not my server, not the routers in my data center; according to him, it was part of the Internet backbone. If that is the case, I have absolutely no leverage over them and they have no accountability to me. Cloudflare sure would have some leverage, but they could not, or would not, lobby on my behalf, ASSUMING that was even true, as we saw it worldwide.

Here are the test results from the edge node in the UK, while verifying what I was seeing in the USA and in China. This is archived in Gmail email during the Support Ticket when I contacted them.

Overall Comparison  CloudFlare  Origin     Difference  Percentage
------------------  ----------  ---------  ----------  ----------
Total Requests      111         111        0           0.00%
onLoad Time         62.09s      30.04s     -32.05s     -106.68%
Total Size          2262.90KB   2337.80KB  74.89KB     3.20%
Total Time          718.61s     62.02s     -656.59s    -1058.62%

CF Page Weight  #    Size       %
--------------  ---  ---------  -------
Cache HIT       68   1477.76KB  65.30%
Cache EXPIRED   14   43.46KB    1.92%
NOT Caching     8    33.85KB    1.50%
External        21   707.84KB   31.28%
Total           111  2262.90KB  100.00%

TTFB     CloudFlare  Origin  Difference  Percentage
-------  ----------  ------  ----------  ----------
Minimum  6           7       1           14.29%
Maximum  35077       689     -34388      -4991.00%
Average  6456.0      54.0    -6402.0     -11855.56%

Direct to Origin Tests

Through Cloudflare 2x delay

The damage done was to my time. I had wasted a day I could have been coding, lost revenue, and almost (had the timing been a bit worse) had even bigger problems.

Cloudflare’s Impact on Google Bots

Another graph now available, damage done to our click-through rate at Google:

Impact on Google Search

Who knows the truth. Maybe some other Cloudflare site was under DDoS attack or they filled one of their internal pipes to capacity a little too much (they brag about filling ‘pipes’ [fiber] to capacity) – though it was equally inaccessible worldwide as best we could tell – had simultaneous tests in UK, USA, and China.

In any event, I found disabling Cloudflare and switching back to a simple image-based CDN improved site performance. If/when we are under attack, I’ll enable a similar service, like Sucuri, who I’ve also used and liked. But until then – there’s just no reason to. All those optimizations they sell you on just do not make up for the performance penalties, AND the critical issue of privacy, as others have argued in ideological opposition to Cloudflare: they do intermediate decryption of the data without the user ever knowing, creating many possible points of interception of data throughout the world. Some web sites don’t even encrypt on the ‘other side’ (Cloudflare to origin server), as it’s cheaper. They call this ‘Flexible’ HTTPS, and it’s definitely very problematic, which is why we never used it.

Naturally, in downgrading (to the $20 a month plan), I got no credit for time remaining and got charged again <sigh>. I’ve now downgraded to the Free Plan and asked for a refund because we’ve all validated Cloudflare will not work with my site. Update: They did refund the last month’s payment.

And to be both honest and non-biased, here are the results of the additional Server Load as it took upon Cloudflare’s responsibilities. It is unfortunate that Cloudflare was untenable for us. Any issue allowed to persist for more than a day is unacceptable for any paid web service provider! I mean, this is my family’s livelihood!

This is a dual CPU (SMP) server, hence the two graphs. They are not duplicates, if you look closely, lol. Due to distribution of computing resources, you end up with both processors pretty close in stats. NOTE THIS IS NOT ACCURATE as the period before we disabled Cloudflare had almost no traffic getting through. A longer range picture shows less of a difference, but still a remarkable savings in server resources. That’s why we were drawn there, their potential is so tempting, so sweet. It is almost like a Honeypot.

Server Load after Disabling Cloudflare

So, we say goodbye, at least for now. But what I need to know is: how is the site experience for you? Yes, I know it will never compete with generation 1 of the site, but times change, guys. We are comparing it to last week, not 2 years ago. How is it working for YOU? Please comment below.

  • Just with the free plan, sites aren’t large enough that they would require the business plan. Sometimes I do think that we don’t require the business plan at all. When you think about it, the amount that you spend on that kind of plan, if it was spent on a server or other resource, would benefit you much better on a term or case basis. However it does have and offers great protection against attacks. After reading your case it surely seems that you were better without Cloudflare; however they keep on improving, maybe others might not face what you experienced.

    Overall it’s all personal and business preference, as it all comes down to what exact features we will be using if we are investing in it, and whether it is worth the investment.

  • Yes, just be careful. My experience has shown that it seems to be a little like cloud servers (or VPS’s before them). They are great at first, then someone decides they need to be ‘maxed out’ for efficiency. This is great until there is abnormal load by any one client, then everyone suffers. That is why I don’t use Cloud servers anymore, except as redundancies or safety isolation servers (like our old forum).

    Now, instead of machines, we are talking about ‘pipes’ (to use the old plumber’s analogy).

    It is a business decision, and benefits small companies more than large it seems. For that reason, I think their Business and Enterprise plans are just for show. Once they have dominated Wall Street, I expect we’ll see a marked decline in performance for ALL their customers, as they can not sustain what they have today, IMHO.

    Plus, their growth rate has triggered some alarming bugs. The parsing error I commented about was literally a classic buffer overflow. In this day and age! I had expected the code parsing my web site to be reviewed 100x over, not ‘tested on the free users’ as the CEO publicly stated as a rationale for allowing this amount of free services.

    And Cloudflare didn’t even discover the parsing bug that has existed for months/years, it was a Google Engineer who found the problem and alerted them.

    Now, *I* have my own bugs, so I don’t mean to be critical, but I am one man, and Cloudflare is .. well .. huge, so the standards are different. Plus, their code *has* to be more secure and vetted on their side, since it affects millions of sites. In fact, I would say they need to open source everything for peer validation at this point.

  • Article updated to replace meaningless data with the data that shows the problem (which still exists today, allowing me to get new screenshots of the tests). They had tried to mislead me into thinking it was not in their network, when their own tests show it absolutely was.

  • Not sure why you didn’t just lease a reputable VPS which would already have DDoS protection and most of the other services Cloudflare offers. Then you could use CF for caching static content. Can you elaborate on this please?

  • We have an actual physical server all to ourselves hosted by IBM. No VPS. No cloud server. No virtual machine. No shared server, a physical server. Hence, we had no problem handling the traffic. The other benefits of Cloudflare were what drew me to it. Had it never suddenly gone down, it would have been fine. And Cloudflare isn’t really designed to act like a traditional CDN (not that you couldn’t use it as one with effort), as I described in the article. Traditional CDNs don’t route ALL traffic through their servers.

  • Note I edited and amended my first response to be more comprehensive. Definitely I did not use CF to go cheap on the server side; we’ve run a physical server for over a year because I found even the largest cloud servers eventually could/would have performance penalties from other sites on the machine. I used CF because of all its fancy features, and there are a lot. It was all good *until* my page would no longer load when routed through CF (a situation that persisted at least 48 hours, may still persist, I dunno). When CF no longer allows your page to load, and their engineers shrug their shoulders, that is a deal breaker.

  • TripleRLtd

    Actual question by Jeremy: “…But what I need to know, how is the site experience for you? ”

    The site is loading just fine, as usual for me (although I don’t check in too often: perhaps monthly?), so, I would think the “downgrade” was just fine looking at it from outside on the net, and FL in particular, on low speed DSL. ;)

    ps
    Checking out (beta testing) some of your “alpha version” tools: JunctionShell Ext and CacheMgr. Will let you know how it goes.

  • UPDATE: In fairness, I am still using their DNS and using their services from time to time. This is because they so dramatically reduce the load on the origin server(s), at least *when their network is working*. I am going to set up an automatic fail-safe of some kind to ensure that we switch away when their performance takes a plunge. No way am I going to take the fall-out from some free site getting DDoS’d. I also briefly had troubles while trying to switch nameservers, having DNSSEC enabled (I needed to let the DNSSEC disable at the registrar propagate first).

    Anyway, it is nice having an A+ rating on our dedicated HTTPS certificate, as opposed to my best ‘B’ rating on our own certificates. Further, this may (or may not) resolve an issue one user had in Australia. I saw curious cases of old IPs lingering for days/weeks past their TTL.

    So, they aren’t all bad, but must be used judiciously, and you must remember that more money buys you no special treatment. Once I have automated the scripts to ‘turn off’ Cloudflare as soon as it goes berserk, I’ll publish them, so other users of this service can do the same.

    The only reason I didn’t just go to Sucuri for these occasional services was the fact that Cloudflare *did* refund me my last monthly payment, and while they tried to ‘spin’ their way out of an issue their own tests showed was on their end (something that caused me to just quit listening tbh, I quit listening when I recognize I am being misled), at least they recognized it as such. And I’m now on the $20/mo plan, which is much more affordable and has all I need (apparently, since there is absolutely no traffic prioritization on their network, which is either good or bad.. but I call it bad when they host so many free sites).
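As an added example (not the author's published scripts, nor any Cloudflare tooling), this Python reproduces the Difference/Percentage arithmetic of the TTFB comparison table in the article and sketches the automatic fail-safe described in the update comment, with hysteresis so a single slow probe does not flip DNS back and forth. Probe values are constructed (the min/max figures are borrowed from the article's TTFB table), and the actual DNS change is left to a caller-supplied callback.

```python
"""Added example (not the author's scripts): summarise CDN-vs-origin TTFB probes
in the article's table layout, plus a hysteresis fail-safe deciding when to stop
routing through the CDN. Probe values are constructed; DNS change is a callback."""
from dataclasses import dataclass
from statistics import mean

@dataclass
class Probe:
    via_cdn_ms: float   # TTFB measured through the CDN edge
    origin_ms: float    # TTFB measured direct to the origin server

def ttfb_row(cdn, origin):
    """One table row as the article computes it: Difference = Origin - CDN,
    Percentage = Difference / Origin (negative means the CDN was slower)."""
    diff = origin - cdn
    return round(diff, 2), round(100.0 * diff / origin, 2)

def summarize(probes):
    """Minimum / Maximum / Average rows for a batch of probes."""
    cdn = [p.via_cdn_ms for p in probes]
    org = [p.origin_ms for p in probes]
    return {"Minimum": ttfb_row(min(cdn), min(org)),
            "Maximum": ttfb_row(max(cdn), max(org)),
            "Average": ttfb_row(mean(cdn), mean(org))}

@dataclass
class FailSafe:
    """Bypass the CDN only after bad_needed consecutive slow probes and
    re-enable only after good_needed consecutive good ones, so a single
    spike never flips DNS back and forth."""
    slow_ratio: float = 2.0   # slow = CDN TTFB > slow_ratio x origin TTFB
    bad_needed: int = 3
    good_needed: int = 5
    bypassed: bool = False
    bad_run: int = 0
    good_run: int = 0

    def observe(self, p, on_change=lambda bypassed: None):
        """Feed one probe; returns True when the bypass state flips."""
        bad = p.via_cdn_ms > self.slow_ratio * p.origin_ms
        self.bad_run = self.bad_run + 1 if bad else 0
        self.good_run = 0 if bad else self.good_run + 1
        flip = ((not self.bypassed and self.bad_run >= self.bad_needed)
                or (self.bypassed and self.good_run >= self.good_needed))
        if flip:
            self.bypassed = not self.bypassed
            on_change(self.bypassed)   # e.g. toggle the DNS record's proxy flag
        return flip

# Constructed sample: one healthy probe, the article's worst case, then noise.
SAMPLE = [Probe(6, 7), Probe(35077, 689), Probe(120, 60), Probe(80, 50), Probe(40, 30)]
```

The Minimum and Maximum rows of `summarize(SAMPLE)` come out as 1 / 14.29% and -34388 / -4991.00%, matching the article's table; the callback is where a real deployment would switch the DNS record off the CDN.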
